authorRobert Speicher <rspeicher@gmail.com>2015-04-13 15:43:58 -0400
committerRobert Speicher <rspeicher@gmail.com>2015-04-20 13:01:43 -0400
commit29604ff2c3d6fc81c3ac26b590f912fea15d58a6 (patch)
tree56f086f7a1e60eb50601a2d7eb8d6af725af2962 /lib
parent189c5347bef6c182ed00e2b845cdce5678abbbce (diff)
downloadgitlab-ce-29604ff2c3d6fc81c3ac26b590f912fea15d58a6.tar.gz
Add permission checking to UserReferenceFilter
Diffstat (limited to 'lib')
-rw-r--r--lib/gitlab/markdown/user_reference_filter.rb15
1 files changed, 12 insertions, 3 deletions
diff --git a/lib/gitlab/markdown/user_reference_filter.rb b/lib/gitlab/markdown/user_reference_filter.rb
index eaf4094338b..d6798ee2158 100644
--- a/lib/gitlab/markdown/user_reference_filter.rb
+++ b/lib/gitlab/markdown/user_reference_filter.rb
@@ -78,12 +78,16 @@ module Gitlab
%(<a href="#{url}" class="#{klass}">@#{user}</a>)
elsif namespace = Namespace.find_by(path: user)
if namespace.is_a?(Group)
- url = group_url(user, only_path: context[:only_path])
+ if user_can_read_group?(namespace)
+ url = group_url(user, only_path: context[:only_path])
+ %(<a href="#{url}" class="#{klass}">@#{user}</a>)
+ else
+ match
+ end
else
url = user_url(user, only_path: context[:only_path])
+ %(<a href="#{url}" class="#{klass}">@#{user}</a>)
end
-
- %(<a href="#{url}" class="#{klass}">@#{user}</a>)
else
match
end
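Review bot: The new `else match` branch under `user_can_read_group?(namespace)` has no comment stating its intent, which appears to be that a group the viewer cannot read renders exactly like a name that matches nothing, so the output does not confirm the group exists. I would add `# Render unreadable groups like unknown names so the output does not reveal that the group exists` above that `match`. Separately, the anchor string `%(<a href="#{url}" class="#{klass}">@#{user}</a>)` now appears three times in this method. Keeping only the `url = ...` assignments in the branches and building the anchor once after them, with the unreadable case returning `match` first, would keep any later escaping change in one place. The enclosing method starts outside the hunk.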
@@ -112,6 +116,11 @@ module Gitlab
h.namespace_project_url(project.namespace, project,
only_path: context[:only_path])
end
+
+ def user_can_read_group?(group)
+ return false if context[:current_user].blank?
+ Ability.abilities.allowed?(context[:current_user], :read_group, group)
+ end
end
end
end
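Review bot: `user_can_read_group?` returns false whenever `context[:current_user]` is blank, so a signed-out viewer never gets a group link, even for a group that `Ability` might let anonymous users read. Whether that is intended is not visible here, and a one-line comment such as `# Anonymous viewers never get group links, including for public groups` would record the decision. The result is also specific to the single viewer in `context`, so if the rendered HTML is cached or delivered to other readers (not visible in this hunk) the link would reach people who lack `:read_group`. The method's doc comment should state that the filter output must not be reused across users.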